By tomorrow, October 1st, the health insurance companies should be provided with particularly sensitive health data from 73 million people with statutory insurance for research purposes. The first data were sent to the collection point, the Central Association of Health Insurance Funds (GKV-Spitzenverband) between August 1, 2022 and October 1, 2022. It is unclear whether data from all 73 million insured persons was transmitted, and the GKV central association heise online did not give a clear answer when asked.
The data is to be forwarded to the research data center (FDZ) set up at the Federal Institute for Drugs and Medical Devices by December 1, 2022 – as the central association has informed heise online. The data is to be continuously supplemented and stored for up to 30 years. There is no right of objection. This is where the Society for Freedom Rights (GFF) comes in, they want to continue to take action against a lack of data protection and the lack of an opportunity to object. She sees this as a violation of the right to informational self-determination and Article 21 of the GDPR.
In order to initially prevent the data from being passed on in two cases, the GFF, together with Constanze Kurz from the Chaos Computer Club (CCC) and a person who suffers from the rare disease hemophilia, initiated two urgent proceedings at the social courts in Berlin and Frankfurt and they decided for themselves.
Research data important, but data protection not sufficient
In general, the GFF considers the use of health data for research purposes to be useful, but the “protection standards previously provided for by law” for the health database would not be sufficient. The data would only be pseudonymised, with details such as name and date of birth being removed. However, a report by the cryptography professor Dominique Schröder showed that it is still possible to draw conclusions about individual persons. This means that misuse of the data cannot be ruled out, especially since there is currently no obligation to use modern encryption techniques.
Central data collection as a single point of failure
Above all, Schröder sees the central data collection at the National Association of Statutory Health Insurance Funds and in a research data center as a possible single point of failure and not necessary. Decentralized data storage that also corresponds to the state of the art is better. Gematik is also currently working on a concept in which data is not stored centrally. As methods for handling sensitive data, Schröder cites the concept of “differential privacy”, which is also used by Google and Apple. He also proposes the use of modern cryptographic methods such as the use of homomorphic encryption or secure multi-party calculation.
With further lawsuits, the GFF wants to obtain a right of objection and “that the data of the insured be protected as best as possible in order to prevent misuse.” High security standards should apply to the “merging of the data sets before pseudonymization, the central storage of the pseudonymized data sets and the processing of the data by the authorized users, high IT security standards”.
Poorly protected people with rare diseases
“Anyone suffering from a rare disease is particularly easy to identify in apparently anonymous databases. This is particularly dangerous if the disease has a stigmatizing effect or knowledge of it even has the potential for blackmail,” says Bijan Moini, lawyer and procedure coordinator at GFF. Nobody wants to prevent health research, “but the law provides neither adequate protection standards nor modern encryption methods – that is negligent and dangerous. If health data falls into the wrong hands, it can no longer be undone.”
The Federal Ministry of Health declined to comment on the “ongoing process” in relation to heise online. The data collection without the possibility of objection was initiated by the former Health Minister Jens Spahn with the Digital Supply Act (DVG), which came into force in 2019.
To home page